Wednesday, November 30, 2016

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and a half, providing great intel to the community and to law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of URLs embedded within the email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August. Then it shifted its focus towards different banking trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypted the files with the extension ".no_more_ransom". Moreover, the spammed URLs redirected to download a JavaScript file or a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au". ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules. All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using a Credit Debt theme. The most important fact is that some of the URLs redirected to download a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. When this blog was written, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Sincerely Yours,
Bank of America
Customer Relations Department.

hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not previously been a behavior associated with Kelihos. Hence, it can be considered a noticeable change and a well-thought-out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c instructions.doc

711881576383fbfeaaf90b1d6c24fce0 instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document behaved in a similar fashion, requesting that the user enable macros by clicking the "Enable Content" (aka "Encrypt Me") button. After this step it downloads a payload from the following link:

After the file is downloaded, it encrypts the files on the system with the Troldesh encryption ransomware and appends the "no_more_ransom" extension to each file. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
xxxxxxxxxxxxxxxxxxxxx
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways:
1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

The above is a plain text version of the ransom note. As can be seen, a Gmail address is being used, which is a one-of-a-kind behavior.

Troldesh did not stop trolling the victim there: it also downloads the Pony malware and contacts its command and control server at this location:

hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our malware expert Neera Desai, who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating: Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system, but they also download the Pony malware to steal information from the victim's computer, a double blow to the victim.

Money Mule Spam

The Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with ".us" (United States) email addresses. It impersonated a company from 'China looking for employees'.

Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com

Subject - We are hiring new employees to our office - kia01915@aol[dot]com

Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com

Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the email addresses use AOL domains, which is a unique thing in itself.

To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The inclusion of ransomware brings interesting twists for research as well as for law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows?

Wednesday, November 09, 2016

Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos

I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!)

Let’s start the story of the things happening with the Kelihos botnet over the past couple of days. After laying low for the past couple of weeks, it struck back with authority. As observed previously (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-geo-targeted.html), Kelihos continues to geo-target different locations. First and foremost, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom, if their email addresses ended with .it, .au, or .uk. Second, it targeted users in the United States to download a social media management tool, “Kuku.io.” Because this was based on country-code targeting of ".us", it is more likely to impact people in education and local government, who are the main users of .us email addresses. While all these things were happening, it sneaked a malicious Word document from a website onto the desktop without any indication to the user of the download. The malicious document eventually delivers the Kronos malware, which is considered to be the same as the Zeus malware that was sent by Kelihos in August (http://garwarner.blogspot.com/2016/08/kelihos-botnet-sending-panda-zeus-to.html). This behavior was bizarre and had never been observed before this event.

Money Mule Spam

A brief report of the various geo-targeted spam is provided below.

1. Australia - Spam for email addresses ending with ".au"

Email text is as follows:

Subject: Available Position

Hi,

The Successful Company is hiring full/part-time employee for an Administrative Assistant position (Customer Care Team) who can take a part oversee development projects in AU and NZ. This opportunity is smart for everybody who ready to work as little as a several hours per weekday, however you will apply for a full time position as well. Competent training programs are accessible for the applicants. Work experience isn't required at all.

Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more details concerning a vacancy.

Best Regards

cargoinvestmentmiltonlogistics@gmail[dot]com.

An interesting thing to observe in the body of the text is the specific reference to development projects in AU and NZ. This suggests the email body and addresses are not random, but specifically targeted towards Australian users.

3. UK - Spam for email addresses ending with ".uk"

Subject: Wow amazing girl..Read that article

Hey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about the soft trading market - it doesn't require any specific skills at it, all is automated.

Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff works with a demo!

Take the best out of it!

P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/.

An interesting observation here is the fake URL imitating The Telegraph newspaper. The spammers are trying to trick the user into visiting the following link under the guise of the Telegraph newspaper.

Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article

When visited, the URL redirected to
hxxp://www[dot]talegraph[dot]co[dot]uk/investor/ideas/from-zero-to-hero-mom-vanessa-makes-8000-per-month
As can be observed, it redirects to talegraph[dot]co[dot]uk, not telegraph, and that site is hosted in the Netherlands.

As can be seen below, the destination is a fake website imitating the Telegraph newspaper.
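The TLD-based targeting described in this post and in the November 30 post above (one lure theme per recipient TLD, defanged hxxp/[dot] links leading to redirect stubs, archives or scripts, a single mail provider behind all reply-to addresses) can be checked mechanically over a spam corpus. The following triage script is an added example, not code from the post or from the UAB lab; SAMPLE_MAIL is constructed to mirror the quoted lures, and the keyword lists and thresholds are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (recipient, subject, reply-to, body) modelled on the post's campaigns; defanged URLs are refanged only for parsing.
SAMPLE_MAIL = [
    ("alice@example.com.au", "Please Settle Credit Arrears Shortly", "",
     "The file can be found here: hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php"),
    ("bob@example.net.au", "Please Settle Credit Arrears Shortly", "",
     "The file can be found here: hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php."),
    ("carol@example.us", "China company is looking for employees", "kia01915@aol[dot]com", "Send confirmation."),
    ("dave@example.us", "Open vacancy", "marquerite23894@aol[dot]com", "Send confirmation."),
    ("ewa@example.pl", "Wow amazing girl..Read that article", "", "hxxp://newsdep3-telegraph[dot]co/"),
    ("frank@example.de", "Cheap meds online", "", "hxxp://pharma-lure[dot]invalid/"),
]
THEME_KEYWORDS = {  # subject keywords taken from the lures quoted in the post (assumed classifier)
    "ransomware-lure": ("credit", "arrears", "debt", "payment"),
    "money-mule": ("employees", "hiring", "job", "vacancy", "position"),
    "dating": ("girl", "date"),
}
RISKY_SUFFIXES = (".zip", ".js", ".doc", "redirect.php")

def refang(s: str) -> str:
    """Turn a defanged URL or address (hxxp, [dot], [.]) back into a parseable one."""
    return re.sub(r"\[(?:dot|\.)\]", ".", s).replace("hxxp", "http", 1)

def extract_urls(text: str) -> list:
    return [refang(u).rstrip(".,)") for u in re.findall(r"hxxps?://\S+", text)]

def classify_theme(subject: str) -> str:
    s = subject.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in s for w in words):
            return theme
    return "pharma/other"

def themes_by_tld(records) -> dict:
    """Lure-theme counts per recipient TLD (the last label of the address)."""
    out = defaultdict(Counter)
    for rcpt, subject, _reply_to, _body in records:
        out[rcpt.rsplit(".", 1)[-1].lower()][classify_theme(subject)] += 1
    return {tld: dict(c) for tld, c in out.items()}

def geo_targeted(records, min_count=2, min_share=0.8) -> dict:
    """TLDs where one theme dominates: the .au/.pl/.us split the post reports."""
    flagged = {}
    for tld, counts in themes_by_tld(records).items():
        theme, n = max(counts.items(), key=lambda kv: kv[1])
        if n >= min_count and n / sum(counts.values()) >= min_share:
            flagged[tld] = theme
    return flagged

def risky_links(records) -> list:
    """Refanged URLs ending in an archive, script, document or redirect stub."""
    return [u for *_, body in records for u in extract_urls(body)
            if u.lower().rstrip("/").endswith(RISKY_SUFFIXES)]

def reply_to_domains(records) -> Counter:
    """Reply-to domains, to spot a single provider across a theme (all AOL here)."""
    return Counter(refang(r).split("@")[-1] for _a, _s, r, _b in records if r)
```

On real mail logs the recipient TLD should come from the envelope recipient, and the redirect stubs themselves need to be fetched in a sandbox before the final download type is known.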

Social Media Management Tool

Kuku.io

It is well-known that people of the United States are crazy about social media and get super excited whenever a new app or tool is launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction forced the threat actors to change their way of attacking by focusing on the social media market. Different malware was developed to exploit this weakness of users. In a recent blog post, I mentioned how scammers were fooling people into buying cheat codes that never existed (http://garwarner.blogspot.com/2016/07/pokemon-go-invitation-to-spammers.html). Continuing these attacks, the Kelihos spammers are now inviting users to download Kuku.io, a social media management tool. The following spam explicitly targets email addresses ending with ".us", because of the popularity and use of social media in the United States.

The email being spammed is as follows:

Subject: Need your opinion

Hi,

I'm with Kuku.io, it's a social media management tool the key characteristic of which is to schedule and create content on various networks at the same time. What's more you also encourage your clients to share, like and follow your posts.

Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.

Check us out at: hxxps://kuku[dot]io/a/ms

I appreciate your time. I'm looking forward to receiving any of your comments!

Kronos Banking Trojan

Now let's get to the sneaky part performed by Kelihos, which is dropping a malicious Word document on the desktop. While doing his daily chores of running Kelihos malware and collecting the spam sent, Max found that a document named 'oldversion' had been placed on the desktop. It was strange, and we had never seen this behavior previously.

An interesting string found in the process hacker was " UPLD save to: C:\Users\malware\Desktop\oldversion.doc"

Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.

Enable Editing

The document was opened in Protected View, and after clicking 'Enable Editing,' it asked to "Enable Content."

Enable Content

After clicking 'Enable Content,' it spawned a child process with the name '24580.exe', and then another child process was launched with the name "svchost.exe". The process killed itself and did not run properly. Hence, I had to put it into OllyDbg to get the malware working. On further observation in the debugger, I found that it was checking for a virtual machine. Hence, it was VMware-aware and killed itself instantaneously. But before it killed itself, I found the following string in "svchost.exe" in the debugger, which identified the malware as Kronos.

Hence, it can be inferred that the malware is Kronos. In order to be doubly sure, I repeated the process by downloading the malicious document and running it again. This time I was able to gather more information: once the document is activated by 'Enable Content,' it grabs the downloader from the following URL: hxxp://topswingusa[dot]top/qivi/mswords2k8[dot]exe, which is hosted on the same IP, 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe" was obtained, it spawned a third process named "MSOSQM", which was the Kronos malware. On further scrutiny, I found that both downloaders, "24580.exe" and "mswords2k8[dot]exe", have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.

Downloader and Kronos malware

Another interesting observation found in the debugger is the presence of a string named "BOTID".

BOTID found in OLLYDBG

Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.

Wednesday, November 02, 2016

This week, NullCrew hacker "Orbit" who is known to his jailers as Timothy French, was sentenced to 45 months for his role in several high profile hacking cases, including the University of Hawaii, the University of Virginia, the State Department, and Bell Canada. The Criminal Complaint released by the Department of Justice has many more details.

For some reason, despite the criminal prosecution, one of the two official Twitter accounts of NullCrew is still live as of this writing. The founders of NullCrew loved to depict themselves as ASCII Art aliens in their old-school-style ezine, FTS (Fuck The System), which made it to issue #5 before they began being arrested. (FTS Issue #5 is available at exploit-db.com: https://www.exploit-db.com/papers/32984/ )

Time Warner - March 6, 2013

FTS2014 will give you a sense of the way these guys think. By the way, all of the Twitter accounts they claimed to be using in this magazine are still live today. ( @NullCrew_FTS, @siph0n_NC, and @zer0pwn)

The 40,000+ userids and passwords, dumped from a database server, are still available online.

Catching Orbit

Orbit was primarily caught because there was a snitch within NullCrew. The snitch, described as a "CW" in the criminal complaint, or "Collaborating Witness", wanted to be able to tweet "officially" for NullCrew, and was granted permission to the shared Twitter account. Once the CW had access, they checked the login history and found an IP address in Morristown, TN. Charter Communications was able to provide a subscriber street address for the IP 24.151.251.118. This IP came up repeatedly in the course of the investigation: it was used to plant a hacked .php page on a University server, to regularly access a shared hacking platform in Chicago, and in other hacked business accesses.

My favorite story, however, was of the auto accident.

(Updated: the admins of siph0n.net contacted me to make clear that their site has no association with siph0n the NullCrew member. We've removed that portion of this article at their request.)

Getting to the Sentence

Part of the defendant's problem as sentencing approached was that Mr. French, who goes by the name "TJ" for "Timothy Justen", boasted overmuch about his association with many truly evil hackers over the years. TJ, according to his pre-sentencing memo, did claim to be a member of Team Poison, but denied emphatically that he had been involved with the TeamPoison April 2012 hacks against NATO and the United Nations, and the August 2011 hacks against NASA. TeamPoison was run by Trick, aka Junaid Hussain, who was recently killed by a Hellfire missile strike after becoming the leader of ISIS's hacking forces and repeatedly hacking the Department of Defense.

Zer0pwn, one of the other arrested members of NullCrew, updated his Twitter profile to give as his description "victim of sabu's wrath" implying that perhaps Sabu was involved with their arrests.

Facing a possible seven year sentence, one of the things the defendant appealed to was the relatively lenient sentences for people who had performed similar crimes. TJ's attorney appeals to cases such as Nicholas Knight (from Team Digi7al) who confessed to hacking DHS, the National Geospatial Intelligence Agency, and assorted universities and businesses but was only sentenced to 24 months. He lists several other cases, but comes back to a 17-year old hacker who also received only 24 months, concluding:

"This 24-month sentence alone compels a sentence for TJ far below the government's asserted guideline range in order to avoid unwarranted disparities." (We wrote previously about how these "slap on the wrist" sentences were leading to others charging "unwarranted disparities" on behalf of their clients. See: "Hacking, Carding, SWATting and OCD: The Case of Mir Islam".)

Several of my professional colleagues have commented that this sentence seems too hefty, but they were unaware of the extent of the damages to Bell Canada. While Null (the Quebec citizen) identified the breach potential, it was Mr. French who took that information and used it to rampage through the files of Bell.ca. "According to prosecutors, millions of files were exfiltrated and 300,000 of them contained client information. At the time of the hack, Bell Canada said 22,421 login and password combinations along with five credit card numbers were exposed, but court documents indicate the number was smaller. Orbit later allegedly posted approximately 12,700 logins and passwords online and Tweeted a link to the data."